Jericho Forum

The Jericho Forum was an international group working to define and promote de-perimeterisation. It was initiated by David Lacey from the Royal Mail and grew out of a loose affiliation of interested corporate CISOs (Chief Information Security Officers) who discussed the topic from the summer of 2003, after an initial meeting hosted by Cisco. It was officially founded in January 2004. It declared success and merged with The Open Group industry consortium's Security Forum in 2014. [1]

The problem

The Forum was created because the founding members claimed that no one else was appropriately discussing the problems surrounding de-perimeterisation. They felt the need to create a forum to define such issues and solve them consistently. One of the earlier outputs of the group was a position paper entitled the Jericho Forum Commandments, a set of principles that describe how best to survive in a de-perimeterised world.

Membership

The Jericho Forum consisted of "user members" and "vendor members". Originally, only user members were allowed to stand for election. In December 2008 this was relaxed, allowing either vendor or user members to be eligible for election. The day-to-day management was provided by the Open Group.

While the Jericho Forum had its foundations in the UK, nearly all the initial members worked for corporates and had global responsibilities, and involvement grew to Europe, North America and Asia Pacific.

Results

After its initial focus on defining the problem, de-perimeterisation, the Forum moved on to defining the solution, which it delivered in the publication of the Collaboration Oriented Architecture (COA) paper and the COA Framework paper.

The next focus of the Jericho Forum was "Securely Collaborating in Clouds", which involves applying the COA concepts to the emerging Cloud Computing paradigm. The basic premise is that a collaborative approach is essential to gain most value from "the cloud". Much of this work was transferred to the Cloud Security Alliance for use in its "guidance" document.

The final (major) piece of the Jericho Forum's work (from 2009) was around Identity, culminating in 2011 with the publication of their Identity, Entitlement & Access Management Commandments. [2]

In its final months the Jericho Forum contributed thinking to the debate around "Smart Data", and this was handed over to the Security Forum within The Open Group to continue, while the work on Identity has been continued by the Global Identity Foundation.

Success and closure

The Jericho Forum declared success and sunsetted at the London conference of The Open Group on 29 October 2013. [3]

The Jericho Forum work on identity has been carried on by the Global Identity Foundation, a not-for-profit organisation working to define the components of a global digital identity ecosystem, with the Identity "commandments" directly translating into the principles behind Identity 3.0.

Key publications

External articles

  1. Alan Lawson “A World without Boundaries” Butler Review Journal Article April 2005 http://www.butlergroup.com/research/DocView.asp?ID={BD1E4C70-F644-42F1-903E-CDBC09A38B8D} [Membership required to access document] “Deperimeterisation has become more than an interesting idea it is now a requirement for many organisations. Vendors have shown an increasing willingness to listen to the user community, but in the absence of a coherent voice from the end-users themselves, may have been uncertain about to whom they should be listening. As long as Jericho [Forum] can continue to build upon its foundations and successfully integrate vendor input into its ongoing strategies, then we see no reason why this community should not become a strong and valuable voice in the years ahead.”
  2. Paul Stamp & Robert Whiteley with Laura Koetzle & Michael Rasmussen “Jericho Forum Looks To Bring Network Walls Tumbling Down” Forrester http://www.forrester.com/Research/Document/Excerpt/0,7211,37317,00.html [Chargeable document] “The Jericho Forum is turning current security models on their heads, and it’s likely to affect much more than the way companies look at orthodox IT security. Jericho’s approach touches on domains like digital rights management, network quality of service, and business partner risk management.”
  3. Angela Moscaritolo “Cloud computing presents next challenge” SC World Congress Dec 2008 http://www.scmagazineus.com/SC-World-Congress-Cloud-computing-presents-next-challenge/article/122288/ “Jericho Forum – which has been preaching the notion of security in an open-network environment since the group was founded more than four years ago – next year plans to focus on the necessary steps to secure the cloud. But the forum is relying on IT security professionals for help, Seccombe said. ‘The very idea of bolting on security when you have already moved to the cloud is dumb,’ he said. ‘You can't bolt security into the cloud; you need to build it in.’”

References

  1. Dobson, Ian; Hietala, Jim (29 October 2013). "Jericho Forum Declares "Success" and Sunsets". Opengroup.org. Retrieved 2018-02-27.
  2. https://collaboration.opengroup.org/jericho/Jericho%20Forum%20Identity%20Commandments%20v1.0.pdf
  3. "Jericho Forum declares "success" and sunsets". 29 October 2013.